A cryptographic key is a relatively small amount of information that is used by a cryptographicalgorithm to 'customize' the transformation of plaintext into cyphertext (during encryption) or from cyphertext to plaintext (during decryption). The same algorithm and plaintext, but with a different key will produce a quite different cyphertext, and so for decryption as well. If the decryption key is lost, encrypted data will not in practice be convertible back to its original form -- at least for high quality encryption algorithms and large enough key sizes. Thus, the security of a cryptographic key in most cases relies on its being kept secret: hence the alternative name secret key.

Most cryptographic algorithms use a single key for both encryption and decryption: they are known as symmetric key algorithms. An attacker who obtains the key (by theft, extortion, dumpster diving, or inspection of a Post-It note stuck to the side of a terminal) can recover the original message from the encrypted data, since as a matter of principle the details of the cryptographic algorithm used is assumed to be already available to the attacker. This design assumption is usually known to cryptanalysts as Kerckhoffs' law, or in more colloquial form, Shannon's Maxim. It is fully justified by long and painful practical experience over some thousands of years and no recent development has changed this reality. That secrecy of a crypto system is important (or even vital) is widely, and wrongly, believed. As a general principle one would not want one's crypto system to be fully known to the opposition, but it should remain secure even if the opposition learns all about it. The chances are excellent that they will anyway.

A new class of cryptographic encryption algorithms was discovered in the 1970s which use a pair of keys, one to encrypt and one to decrypt. Some of these asymmetric key algorithms have the property that it is not possible to determine one key from the other (so far as is currently known). Such an algorithm allows one key to be made public while retaining the private key in only one location.

Typical key sizes for estimated 'equivalent security' against a particular kind of attack (ie, brute force key space search) are 128 bits for symmetric ciphers and 2048 bits or more for public key cryptography. Elliptic curve cryptography may allow much smaller size keys for equivalent security, but these algorithms have only been known for a relatively short time and current estimates of the difficulty of brute force searching for their keys may not survive. Recently, a message encrypted using a 109-bit key elliptic curve algorithm was broken by brute force. As a result it would appear that elliptic curve algorithm keys must be somewhat the same length as symmetric key algorithm keys for equivalent security. As always, for all but the one-time pad, a theoretical breakthrough may make everything you've encrypted an open book regardless of the algorithm or algorithm type you've chosen, and a too-short key will certainly do so.

If the key is too small, the algorithm will be vulnerable to a brute force attack in which all possible values of the key are tried one by one. 'Birthday' attacks are also possible; the probability of a 'collision' between a large group of values goes up roughly as the square of the number of possible values and this applies in cryptography as well. In addition, many algorithms permit reduced effort attacks as compared to brute force key search. If the effort is sufficiently reduced, the algorithm will be 'insecure' against that attack and should not be used. It may be expected that algorithms for which no improved attack is now known, and for which a brute force attack is impractical, will be found to be insecure when some new cryptoanalytic technique is developed. When one is.

The problem of choosing a cryptographic algorithm reduces itself, in actual practice, to an estimate of how likely such an advance will be over the relevant time. Personal secrets need to be kept confidential for different durations than tactical deployment information in a battle, and still differently than some commercially valuable information (eg, the formula for Coke). There are no good answers known to this problem. Intelligent, cryptographically informed, choosers limit their choice to publicly known and publicly unbroken, but well studied, algorithms. Only algorithms from this group can be credibly thought secure. All others are either not sufficiently well tested, or are from secret organizations with adequate testing resources, but also with ulterior motives.

At the least sensible, choosing a key by increasing the value of the last used key by one is clearly foolish. Any attacker noticing the key choice pattern will be ecstatic. In fact, experience has shown that pattern in key choice are a very very significant source of breaks into otherwise well designed crypto systems. The Japanese Purple cypher machine of WWII is an example, for after the initial breakthrough by US cryptanalysts, the poor choice of keys made continuing breaks into the Purple traffic very much easier.

In general, keys _must_ be chosen randomly (or alternatively, they must be random values) while meeting other requirements of the algorithm in use. This is a fundamentally difficult, quite subtle, problem and has been 'solved' in one or another crypto system in various ways. There is an Internet RFC on generating randomness (RFC 1750, Randomness Recommendations for Security (http://www.ietf.org/rfc/rfc1750.txt)), but it is long on prescription and short on explanation. In general randomness is always a problem in cryptography, and key choice is merely another example.

Failure to handle this properly is an easy way to render any cryptosystem insecure. See randomness.

Pretty Good Privacy (PGP) is a popular program that intelligently uses both symmetric and asymmetric algorithms as part of an excellent crypto system design. PGP uses the timing between keystrokes to generate 'randomness'; thus far this has not been found unsatisfactory. A public Standard has been recently adopted for a PGP compatible crypto system. OpenPGP[?] is the standard and GPG is an implementation of it available from the Free Software Foundation. There is a Web site for the FSF which has pointers to the official Web pages for both PGP and OpenPGP.